During my update of RedHat I failed to back up my firewall script, so I am trying to recreate it and was wondering if someone would give me input on how to improve it. To outline what I have:
1. Set variables for interfaces/networks
2. Create a table to block traffic from reserved and private networks
3. Create a table for blacklisted hosts
4. Create a table for explicitly blocked and logged ports
5. Create a table for ICMP packets
6. Create a table for allowed packets
7. Enable the loopback interface
8. Pass packets coming in on the internet interface to drop packets coming from reserved networks
9. Pass packets going out on the internet interface to drop packets going to reserved networks
10. Pass packets coming in on the internet interface to drop blacklisted hosts
11. Pass packets coming in on the internet interface to drop blocked ports
12. Pass packets coming in on the internet interface to filter ICMP packets
13. Pass packets to allow incoming traffic
14. Drop all remaining packets

Basically, all rules drop packets except where I am opening the loopback interface, allowing ICMP packets or allowing specific traffic.

I guess I would like to know if the following snippet that allows specific ports is correct, or if there are suggestions on how to improve it?

##########################################################################
# CREATE A TABLE TO ALLOW PACKETS ON SPECIFIC PORTS                      #
##########################################################################
$IPTABLES -N ALLOWED_CONNECTIONS

# ACCEPT ALL TRAFFIC FOR ESTABLISHED OR RELATED CONNECTIONS
$IPTABLES -t filter -A ALLOWED_CONNECTIONS -i $INTERNET_IFACE -m state \
   --state ESTABLISHED,RELATED -j ACCEPT

# ACCEPT ALL TRAFFIC NOT COMING FROM THE INTERNET
$IPTABLES -t filter -A ALLOWED_CONNECTIONS -i ! $INTERNET_IFACE -m state \
   --state NEW -j ACCEPT

### ALLOWED PORTS FOR TRAFFIC ORIGINATING FROM THE INTERNET ###
#
#  22  ssh
#  80  http
# 443  https
#
###
# One rule per TCP port; each rule must name the port (-p tcp --dport)
# and append to the same chain that INPUT jumps to.
PORT_LIST="22 80 443"
for PORT in $PORT_LIST
do
   $IPTABLES -t filter -A ALLOWED_CONNECTIONS -i $INTERNET_IFACE \
      -p tcp --dport $PORT -m state --state NEW -j ACCEPT
done

# DROP ALL OTHER NEW OR INVALID CONNECTIONS
$IPTABLES -t filter -A ALLOWED_CONNECTIONS -i $INTERNET_IFACE -m state \
   --state NEW,INVALID -j DROP

The filter I am using to send traffic to this table is:

$IPTABLES -t filter -A INPUT -j ALLOWED_CONNECTIONS

Thanks,
Chad

-- 
redhat-list mailing list
unsubscribe mailto:redhat-list-request@redhat.com?subject=unsubscribe
https://listman.redhat.com/mailman/listinfo/redhat-list
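The chain outlined in the post, written out as an added example (this is not Chad's script or anything from the redhat-list archive). It differs from the posted snippet in two ways a reviewer would ask for: the per-port rules carry an explicit `-p tcp --dport`, and INVALID packets are dropped before the port rules rather than in the final NEW,INVALID catch-all, so a malformed packet aimed at port 22 cannot match an ACCEPT first. The interface name, the port list and the `IPTABLES="echo iptables"` dry-run default are assumptions; set `IPTABLES=/sbin/iptables` as root to apply the rules for real.

```shell
#!/bin/sh
# Added example: build the ALLOWED_CONNECTIONS chain described in the post.
# IPTABLES defaults to "echo iptables" so the script prints the rules it would
# load instead of changing the live firewall (no root needed for a dry run).
IPTABLES="${IPTABLES:-echo iptables}"       # assumption: dry-run by default
INTERNET_IFACE="${INTERNET_IFACE:-eth0}"    # assumption: internet-facing NIC
TCP_PORTS="${TCP_PORTS:-22 80 443}"         # ssh, http, https

# Emit the rules for the chain, in the order they must be evaluated.
build_allowed_connections() {
    chain=ALLOWED_CONNECTIONS
    $IPTABLES -t filter -N "$chain"

    # 1. Replies to connections we already track: accept before anything else.
    $IPTABLES -t filter -A "$chain" -i "$INTERNET_IFACE" \
        -m state --state ESTABLISHED,RELATED -j ACCEPT

    # 2. New connections arriving on any interface other than the internet one.
    $IPTABLES -t filter -A "$chain" ! -i "$INTERNET_IFACE" \
        -m state --state NEW -j ACCEPT

    # 3. Drop INVALID packets from the internet *before* the port rules, so a
    #    malformed packet to port 22 never reaches an ACCEPT rule.
    $IPTABLES -t filter -A "$chain" -i "$INTERNET_IFACE" \
        -m state --state INVALID -j DROP

    # 4. One rule per allowed TCP port; the port must be named explicitly.
    for port in $TCP_PORTS; do
        $IPTABLES -t filter -A "$chain" -i "$INTERNET_IFACE" \
            -p tcp --dport "$port" -m state --state NEW -j ACCEPT
    done

    # 5. Any other new connection from the internet is dropped.
    $IPTABLES -t filter -A "$chain" -i "$INTERNET_IFACE" \
        -m state --state NEW -j DROP

    # 6. Hook the chain into INPUT.
    $IPTABLES -t filter -A INPUT -j "$chain"
}

# Sanity check helper: number of per-port ACCEPT rules that would be loaded.
count_port_rules() {
    build_allowed_connections | grep -c -- '--dport'
}

# Stand-alone run: print (or, with IPTABLES=/sbin/iptables, load) the rules.
build_allowed_connections
```

Run it as-is to review the generated rule list, then compare against `iptables -L ALLOWED_CONNECTIONS -n --line-numbers` after loading to confirm the INVALID drop sits above the port rules.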